US20120047569A1 - Method for providing terminals of ims network with firewall and firewall system - Google Patents
- Publication number: US20120047569A1
- Authority: US (United States)
- Prior art keywords
- firewall
- terminal
- network
- identification information
- firewall system
- Legal status: Abandoned (the status is Google's assumption, not a legal conclusion; Google has performed no legal analysis and makes no representation as to its accuracy)
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1016—IP multimedia subsystem [IMS]
- H04L65/1066—Session management
- H04L65/1073—Registration or de-registration
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H04W12/128—Anti-malware arrangements, e.g. protection against SMS fraud or mobile malware
- H04W92/00—Interfaces specially adapted for wireless communication networks
- H04W92/02—Inter-networking arrangements
Definitions
- This invention relates to network communication, and more particularly, relates to a method and system for enhancing the communication security of terminals in an IMS network.
- A firewall is deployed to protect network resources from network attacks: it guards data and shields network resources from the potential damage done by intruders.
- A successful firewall lets network elements communicate and interact with other communication nodes while ensuring that those elements are not subjected to attack, unauthorized probing or the like from the networks they reach.
- IMS: IP Multimedia Subsystem.
- The IMS combines a plurality of technologies, such as cellular mobile communication networks, traditional fixed networks and the Internet, to provide a universal service platform for future all-IP multimedia applications, and a technical basis for network convergence in future network development.
- The many characteristics of the IMS make it an ideal solution for achieving future network convergence and a direction of development.
- Since the IMS network is connected with the Internet, its IP-based, open network architecture lets different services share one service platform over a variety of access methods, which increases the flexibility of networks and the interoperability among terminals.
- Because the IMS is built on IP, its security requirements are much higher than those of the independent networks of traditional operators, so the security of the IMS cannot be ignored for either mobile or fixed access.
- It is therefore critically important for communication terminals in the IMS network, as network elements that communicate and interact with public networks, to have their own firewalls to protect themselves from attacks and unauthorized access.
- However, not all IMS terminals have enough memory and computing capacity to run a firewall.
- Firewall maintenance is also a problem: whether the firewall is updated in time, whether it is configured correctly, whether the firewall system is powerful enough, and so on.
- Maintaining a network security configuration is a large workload for IMS users, especially for users without the relevant knowledge: they not only have to spend much time and effort on it, but must also possess sufficient knowledge of network security, at least of how to use the firewall.
- Telecommunication networks carry more mobile devices (e.g. mobile phones, PDAs) than ordinary computer networks. Unlike PCs, these mobile devices normally lack the resources (CPU, memory, etc.) to run a high-performance firewall, and many legacy access devices, such as old telephone sets, cannot have firewall software or hardware installed at all. The potential security risk of such devices needs to be eliminated without delay. How to relieve the burden of firewall operation and configuration on IMS terminal users while still protecting the terminals in the IMS network is therefore a problem that urgently needs solving.
- This invention proposes a method of providing a firewall to terminals in the IMS network, and a firewall system that provides IMS network terminals with security protection, so as to relieve or even completely eliminate the burden of firewall operation and configuration on IMS terminals.
- a method of providing a firewall to a terminal in an IMS network comprising the steps of:
- The network element is the S-CSCF or its trusting party.
- The identification information of the terminal and of the firewall system comprises their IP address, MAC address, user ID, firewall serial number, or any combination of these.
- The firewall system may deliver its identification information in several ways: it sends it to the requesting network element or its trusting party, which then forwards it to the terminal; or it sends it to both the requesting network element (or its trusting party) and the terminal; or it sends it to only one of them.
- The requesting network element or its trusting party sends the identification information of the firewall system to the terminal and to the related network elements.
- That sending may be performed when or after the request message is sent to the firewall system, or when or after it is decided to send the request message to the firewall system.
- By default, once a terminal enters the IMS network and initiates a registration request or session request, the requesting network element or its trusting party sends the firewall system a request to provide the terminal with a firewall.
- The registration request or session request carries identification information indicating whether a firewall needs to be provided for the terminal, or whether the firewall system needs to provide a specific service.
- The requesting network element or its trusting party reads the identification information carried in the terminal's request, and does not send a request to provide the terminal with a firewall if that information indicates that no firewall is needed.
- The firewall system reads the identification information carried in the terminal's request, and does not provide the terminal with a firewall service if that information indicates that no firewall is needed.
- The firewall system reads the identification information carried in the terminal's request, and provides the terminal with the required specific firewall service if that information indicates that a specific firewall service is needed.
- The specific firewall service is managing all of the communication activities between the terminal and the other network elements, or managing only a part of them.
- The firewall system provides a configuration module for the terminal, through which the terminal can set the firewall to manage none, part, or all of the communication activities between it and the other network elements.
- The managed part of the communication activities may be classified by the type of communication protocol, the location area in which the other network elements are located, the type of resource the terminal visits or is visited for, the security level, the degree of sensitivity, the degree of privacy, and so on.
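- As an added example (not code from the patent), the following Python models what the claims above describe: the terminal's choice of no, partial or full management read from its registration request, and, for partial management, the per-activity classification by protocol type, peer location area, resource type, security level, sensitivity and privacy. The SIP header name P-Firewall-Service, the field names, the rule semantics and the sample REGISTER are assumptions; the patent only says that the request "carries identification information" about whether a firewall is needed.

```python
"""Scope of the firewall service per terminal.

Added example, not code from the patent. The P-Firewall-Service header,
the Activity/Rule fields and the rule semantics are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    NONE = "none"        # the terminal asked not to be managed
    PARTIAL = "partial"  # only activities matching a rule are managed
    FULL = "full"        # every activity is managed (the default)


def mode_from_register(sip_request: str) -> Mode:
    """Read the assumed P-Firewall-Service header from a SIP REGISTER.

    A missing or unrecognised value falls back to the default of full
    management, matching the "all users have the service" default.
    """
    for line in sip_request.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "p-firewall-service":
            try:
                return Mode(value.strip().lower())
            except ValueError:
                return Mode.FULL
    return Mode.FULL


@dataclass(frozen=True)
class Activity:
    """One communication activity between the terminal and a peer."""
    protocol: str        # e.g. "sip", "rtp", "http"
    peer_area: str       # where the other element sits, e.g. "ims", "internet"
    resource: str        # what is visited or visiting, e.g. "media", "web"
    security_level: int  # 0 (public) .. 3 (restricted)
    sensitivity: int     # 0 .. 3
    privacy: int         # 0 .. 3


@dataclass(frozen=True)
class Rule:
    """Every field that is set must match; numeric fields are minimums."""
    protocol: Optional[str] = None
    peer_area: Optional[str] = None
    resource: Optional[str] = None
    min_security: Optional[int] = None
    min_sensitivity: Optional[int] = None
    min_privacy: Optional[int] = None

    def matches(self, a: Activity) -> bool:
        return (
            (self.protocol is None or a.protocol == self.protocol)
            and (self.peer_area is None or a.peer_area == self.peer_area)
            and (self.resource is None or a.resource == self.resource)
            and (self.min_security is None or a.security_level >= self.min_security)
            and (self.min_sensitivity is None or a.sensitivity >= self.min_sensitivity)
            and (self.min_privacy is None or a.privacy >= self.min_privacy)
        )


@dataclass
class TerminalConfig:
    """What the configuration module stores for one terminal."""
    user_id: str
    mode: Mode = Mode.FULL
    rules: List[Rule] = field(default_factory=list)


def is_managed(cfg: TerminalConfig, activity: Activity) -> bool:
    """Must the firewall system sit in the path for this activity?"""
    if cfg.mode is Mode.FULL:
        return True
    if cfg.mode is Mode.NONE:
        return False
    # PARTIAL with no rules: the user asked for partial management but
    # configured nothing, so fail closed and manage everything.
    return not cfg.rules or any(r.matches(activity) for r in cfg.rules)


# Constructed sample REGISTER (not a captured message)
SAMPLE_REGISTER = (
    "REGISTER sip:ims.example SIP/2.0\r\n"
    "From: <sip:alice@ims.example>;tag=1\r\n"
    "To: <sip:alice@ims.example>\r\n"
    "P-Firewall-Service: partial\r\n"
    "Contact: <sip:alice@10.0.0.5>\r\n"
)
```

With the sample request the terminal lands in partial mode; a configuration such as `TerminalConfig("alice", Mode.PARTIAL, [Rule(peer_area="internet"), Rule(min_security=2)])` then routes Internet-bound traffic and anything at security level 2 or above through the firewall system and leaves ordinary intra-IMS media alone. The fail-closed choice for an empty rule set is a design decision of this example, not something the patent specifies.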
- A firewall system in the IMS network comprising:
- The communication management module reads the identification information carried in the request indicating whether the terminal needs a firewall service and/or whether a specific service is required; if it indicates that no firewall is needed, the firewall system does not provide the terminal with a firewall service, and if it indicates that a specific service is needed, the firewall system provides that specific service to the terminal.
- The firewall system further comprises a configuration module that provides a configuration function for the terminal user.
- A firewall system in the IMS network acquires identification information of a terminal when it receives from a network element a request to provide the terminal with a firewall, and manages at least part of the communication activities between the terminal and other network elements, where those other network elements include network elements in the IMS network and/or network elements that communicate with the terminal via the IMS network.
- a network element in IMS network comprising:
- The network element may be implemented in software, hardware, or a combination of the two.
- a terminal for accessing to the IMS network comprising:
- An IMS network system comprising the terminal, the network element and the firewall system described above.
- A computer program product comprising executable code for performing any one of the above methods, or for implementing any one of the above firewall systems, network elements or terminals.
- The method and firewall system of this invention can significantly relieve, or even completely eliminate, the burden on IMS terminal users while protecting the security of the transactions between IMS terminals and networks.
- Terminals that already run their own firewall are given the protection of dual firewalls by the method and system of this invention, and are also offered value-added services such as update assistance and configuration assistance, which relieves their burden.
- Terminals that cannot run a firewall of their own can select the firewall system of this invention to protect them, so the burden on those terminals is eliminated entirely.
- The firewall proposed by this invention is a system deployed in the IMS network and independent of the IMS terminals; it uses no resources on the user equipment. Users need make no maintenance effort, since maintenance is undertaken by the service provider. Moreover, compared with a firewall running on the IMS terminal, the firewall system can be more powerful and updated more promptly, and so better protects the communication security of the IMS terminals.
- FIG. 1 illustrates a network architecture for providing a firewall system to the IMS terminal according to embodiments of this invention.
- FIG. 2 illustrates an exemplary structure of the firewall system according to embodiments of this invention.
- FIG. 3 illustrates an exemplary structure of the S-CSCF in the IMS network according to embodiments of this invention.
- FIG. 4 illustrates an exemplary structure of the IMS terminal according to embodiments of this invention.
- FIG. 5 illustrates the flow chart of the IMS terminal initiating registration or session when entering the IMS network according to the embodiments of this invention.
- FIG. 1 shows an illustrative network architecture for providing a firewall system to the IMS terminal.
- A user equipment (UE) accesses the IMS network from an access network.
- The UE can be any terminal able to communicate, for example a fixed terminal such as a desktop computer, or a mobile terminal such as a PDA (Personal Digital Assistant), handset, notebook, portable communication device or the like.
- The access network can be an IP-CAN (IP Connectivity Access Network), such as GPRS (in GSM/UMTS networks), ADSL (Asymmetric Digital Subscriber Line) or WLAN (Wireless Local Area Network).
- the IMS network illustrated in FIG. 1 can include various network elements, e.g.
- FIG. 1 also shows the Internet or other public networks coupled to the IMS network; those other public networks may be any type of network that can connect with the IMS network and be reached via it.
- A firewall system is introduced into the IMS network to protect the IMS terminals.
- The firewall system in the IMS network protects the security of the UE's communication sessions and resources.
- The default setting can be that every user equipment registered to the IMS network has the service; in other words, by default the firewall system manages all security matters for all IMS terminals. For user equipment with this service, all communication sessions and connections between the UE and other communication devices are managed by the firewall system.
- Such other communication devices comprise:
- Network elements in the IMS network, i.e. the elements generally involved when a UE establishes sessions or connections with other communication nodes under the network specifications, protocols and configurations in use, such as the P-CSCF, I-CSCF and S-CSCF.
- Other network elements in the IMS network, namely the parties the UE communicates with.
- These may also be called "unrelated network elements": elements that are normally not involved when a UE establishes sessions or connections with other nodes under the specific network specifications, protocols and settings. (The phrase "not involved" is not absolute; when a UE intends to communicate with the S-CSCF itself, the S-CSCF is obviously the UE's communicating party.)
- Network elements outside the IMS network that communicate with the UE via the IMS network, such as those in the Internet and the public networks shown in FIG. 1.
- The firewall system acts as the UE's agent in the IMS network: any information from the UE must go through the firewall system before being sent to other network elements in the IMS network, and any information towards the UE via the IMS network must also pass through the firewall system before being sent to the UE, so that communication between the UE and public networks is kept protected.
- FIG. 2 illustrates the exemplary structure of the firewall system.
- The firewall system comprises: a communication interface, for receiving information from other network elements such as the UE and S-CSCF and for transmitting related information to them; an information acquisition module, for acquiring the identification information of a terminal when a request to provide that terminal with a firewall arrives from the S-CSCF or its trusting party via the communication interface; and a communication management module, for transmitting the identification information of the firewall system to the terminal and/or related network elements via the communication interface after receiving the terminal's identification information, and for managing at least part of the communication activities between the terminal and other network elements.
- Those other network elements include network elements in the IMS network and/or network elements that communicate with the terminal via the IMS network.
- FIG. 2 further illustrates other components that can be included in the firewall system. Although FIG. 2 shows them, they are not required to implement the firewall system of this invention; they enable the firewall system to provide additional or enhanced functions for the UE.
- The firewall system of the invention also provides a configuration module with which users change their firewall configuration as required.
- Firewall configuration services are provided to users through the configuration module.
- Users make their configurations through the configuration module, and the communication management module enforces them.
- The firewall system can generate a corresponding configuration file for each user and store it in the user information database.
- The user information database may run on the same physical node as the firewall system, or be distributed over other physical nodes or backend servers.
- Users can configure which of their communication activities the firewall system manages, for instance only a part of them instead of all.
- Users may also configure, through the configuration module, that they are not to be managed by the firewall system at all.
- Users whose UE already runs a firewall may still accept management by the firewall system; in that case both the firewall running on the UE and the firewall system of the invention protect the UE's communication, that is, the UE gets dual protection.
- The invention thus offers UE users a way to relieve their burden.
- The configuration module can also provide other value-added services for UE users.
- For a UE that has a firewall installed, corresponding configurations are made through the configuration module, and the firewall system of the invention can then support the firewall running on the UE in several ways:
- Vulnerability scanning: scanning the UE for security holes (for instance, whether the latest operating system (OS) patch is installed, whether software running on the UE causes a security problem, etc.).
- The scanning result is reported to the user, or the holes are repaired automatically according to the user's configuration.
- Real-time updating: providing the UE with real-time updates or safe download paths.
- Since the firewall system of the invention keeps itself updated in real time, it can generally supply all the update information the firewall on the UE needs. The UE therefore need not fetch updates from public networks such as the Internet, or from other nodes via the IMS network, which reduces network traffic and the likelihood of congestion. It also keeps the UE from downloading updates from unsafe sites and avoids attacks during download, which improves the UE's communication security, and it shortens the UE's latency for obtaining updates, which improves the quality of service (QoS).
- Checking updates: notifying the user to install the corresponding update when an uninstalled update is found on the UE, or installing it automatically according to the user's configuration.
- Configuration assistance: providing richer technical support for configuring the UE's own firewall, such as explanatory documents and demonstration videos, or letting the firewall system perform some configuration of the firewall running on the UE on the user's behalf, according to the user's settings. In this way the firewall system helps the user maintain the firewall on his or her equipment, which makes maintenance much easier for users who lack the relevant experience or knowledge.
- Fault repair: if the user has made the corresponding configuration through the configuration interface of the firewall system, then when the firewall running on the UE malfunctions, the UE may send a fault report or alert to both the user and the firewall system, or only to the firewall system (the specific behaviour depends on the user's settings). The firewall system may also be allowed to repair the fault on the UE automatically according to the user's settings; in that case, once the communication interface of the firewall system receives an abnormal message from the UE, the firewall system carries out the repair or recovery of the user's firewall in the user's place.
- Enabling and disabling the firewall running on the UE: according to the user's settings, disabling the firewall on the UE when the UE connects to the firewall system and enabling it again when the UE disconnects from the firewall system.
- This function frees the UE's resources for more important tasks while the firewall system of the invention takes over the work of protecting it.
- Generating configuration files: according to the user's settings, applying by default the settings in the generated configuration file the next time the UE accesses the IMS network, unless the user updates the configuration.
- Anti-virus function: according to the user's settings, assisting or replacing the anti-virus software on the UE for anti-virus protection, scanning, virus database updates, etc.
- The firewall system of the invention can thus provide the UE with both a firewall and anti-virus functions, which further relieves the burden on the UE.
- A database or storage medium may be placed in the firewall system to store the user's configuration information, or separate information databases or engines may be provided for each of the functions above.
- The firewall system may also be linked to a more powerful backend database, or to separate databases or engines, such as a vulnerability scanning engine and vulnerability database, an information update engine and database, an update checking engine, a configuration checking engine, a configuration assistance engine (which may include or connect to an explanatory document database, a demonstration video database or the like), a fault repair engine, a user configuration information database, a virus database, etc.
- FIG. 3 illustrates the exemplary structure of a network element such as the S-CSCF in the IMS network.
- The network element comprises: a communication interface, for sending and receiving information; a service control module, which on receiving a registration or session request from the terminal determines whether the terminal needs a firewall service (as stated above, by default it does, or the decision is made from the identification information the terminal set in its request) and, if so, sends the firewall system a request message to provide a firewall service for the terminal; and a communication control module, which sends the firewall system's identification information to the terminal when it receives that information from the firewall system via the communication interface, or sends the stored identification information of the firewall system to the terminal after determining that the request message is to be sent. The communication control module additionally sends all information destined for the terminal to the firewall system, which then delivers it to the terminal.
- The functions above implemented by the S-CSCF can be wholly or partly transferred to its trusting party, which then implements the corresponding functions.
- When the trusting party takes charge of these functions, it can communicate with components in the IMS network such as the S-CSCF as needed.
- FIG. 4 illustrates an exemplary structure of the terminal accessing the IMS network.
- The terminal comprises: a communication interface, for sending and receiving information; an identification information acquisition module, for acquiring the identification information of a firewall when a message containing it arrives via the communication interface from the S-CSCF, its trusting party, or the firewall system; and a communication management module which, once that identification information has been acquired, sends the terminal's communication to the other network elements via the firewall system every time the terminal needs to communicate with them, where those other network elements comprise network elements in the IMS network and/or network elements that communicate with the terminal via the IMS network.
- FIG. 5 illustrates the registration or session initiation flow performed when the UE accesses, via an access network, an IMS network that includes the firewall system of this invention.
- Steps 1 to 5 in FIG. 5 are the prior-art session or registration initiation by the UE: the UE sends a registration message to the P-CSCF, which forwards it to the I-CSCF.
- The I-CSCF selects an S-CSCF for the user by querying the HSS (for example over the Cx interface defined in the specifications). The S-CSCF then interacts with the HSS and authenticates the user; specifically, it downloads the user profile from the HSS.
- The user profile is relatively important information: besides user information, it includes filtering rules that decide when to forward a SIP request to an application server that provides services, and these filtering rules constitute a set of trigger conditions.
- Since the firewall service of this invention is a service in the IMS network, its triggering may likewise be stored in these filtering rules.
- Steps 6 and 7: based on the filtering rules, the S-CSCF decides whether the request from the UE must pass through one or more application servers that provide services to the user. Although the S-CSCF does not itself provide the requested service, it triggers the application servers to perform it. If the user has the firewall service (by default all users have it), the S-CSCF sends registration information to the firewall system, shown as the "F/W request" in FIG. 5.
- This request includes the identification information of the UE, such as its address; depending on the capabilities of the firewall system, information such as the P-CSCF address, home network contact information, or the user identities (public user identity and private user identity) can also be included as needed.
- The identification information can be any information capable of uniquely identifying the UE, in the form of numbers, letters, characters or combinations of these, and of any kind, for instance the MAC address, user ID, IP address of the UE, or any combination of them.
- Step 8: the firewall system performs the necessary authorization check on the user, based for example on the user identity or other information, to ensure that he or she is authorized to use the service provided by the firewall system.
- An authorization check is beneficial, but not compulsory; whether to perform it depends on the specific application requirements.
- Service control can instead be done at the S-CSCF, i.e. judging whether the UE is a user authorized to access the IMS network, in which case Step 8 can be omitted at the firewall system. The firewall system then relies on the request having come from the S-CSCF or its trusting party, so the interface between them must itself be trusted.
- Steps 9, 10 and 11: if the UE is an authorized user of the firewall system, the firewall system sends a 200 (OK) message to the UE (Step 9).
- This message includes identification information that uniquely identifies the firewall, such as its address, so that the UE and the other related IMS components (such as the P-CSCF and S-CSCF) know that it is the UE's firewall.
- On receiving this message, the UE and the other related IMS components update their configurations. Specifically, the UE stores the firewall's address as the address through which it contacts the network, so that every request from the UE is sent first to the firewall system, which forwards it to the correct address in the network. The other network elements communicating with the UE store the firewall's address and use it in place of the UE's address. All messages between the network and the UE are then forwarded by the firewall system.
- Alternatively, the firewall's address may be added by the S-CSCF rather than by the firewall system; in Step 10 the 200 (OK) message carrying the firewall's address is sent to the P-CSCF, which then sends it to the UE (Step 11).
- The firewall need not send the 200 (OK) message in sequence to the S-CSCF, P-CSCF and UE as shown in FIG. 5.
- It may send the message separately to the S-CSCF and to the UE.
- The firewall may send the 200 (OK) message directly to the UE, and the message between the firewall and the UE may use other protocols (such as H.323, HTTP or the like).
- The firewall system may send the 200 (OK) message only to the UE and let the UE notify the S-CSCF (and similarly when the message is sent only to the S-CSCF).
- Any of these ways of transmitting the 200 (OK) message can be selected according to the specific application configuration.
- Steps 12, 13 and 14: Once the update is completed, a 200 (OK) response is sent back to the firewall system to confirm the connectivity between the UE and the firewall system in the IMS network. From then on, the firewall system operates between the UE and the IMS network to provide services to the UE.
- The UE likewise need not send the 200 (OK) response in sequence to the P-CSCF, S-CSCF and firewall system; it may send the response to the P-CSCF and the firewall system separately and let the P-CSCF forward it to the S-CSCF.
- The 200 (OK) response may also be omitted; instead, after a predefined time, communications between the UE and the IMS network are managed via the firewall system.
- In other words, until the UE leaves the IMS network, all communication between the UE and other network elements in the IMS network, or between the UE and network elements that communicate with the UE via the IMS network, goes through the firewall system of this invention. However, if the user has made a specific configuration, that configuration takes higher priority.
- In case the UE itself operates a firewall, it can make the various settings mentioned hereinabove through the configuration module offered by the firewall system, so that corresponding configuration files are generated in the firewall system.
- Related data can be arranged to be maintained by the S-CSCF or obtained by interacting with the firewall system.
- If the firewall system discovers configuration information relating to the UE, an existing configuration may be applied to the UE.
- The UE can be arranged to add, into the registration request sent in Step 1, identification/characteristic information about whether the services of the firewall system are required, or which particular kind(s) of services provided by the firewall system are required. In this way, if the UE does not have a firewall service, the S-CSCF only needs to treat the UE as an ordinary IMS terminal and process it as the prior art does.
- An IMS network may include the firewall system of this invention.
- All communications between the UE and the IMS network, as well as public networks, are managed by the firewall system. Every request from or to the UE over the IMS network goes through the firewall.
- The firewall can shield the UE from attacks from the IMS network and from other public networks connected (wired or wireless) to the IMS. Consequently, the problem that the existing IMS network has no network-level firewall for user equipment, so that users can only assure their communication safety by means of firewalls operating on the terminals, is overcome.
- The firewall system of this invention is capable of shielding the UE from attacks originating from the IMS network and from external networks via the IMS network. But in cases where the access networks are not secure, or where some user equipment carries sensitive information, more comprehensive protection may be desired.
- A VPN connection can be employed between the UE and the firewall system, whereby the UE is also shielded from attacks from access networks.
- Such a VPN connection may be any type of VPN connection suitable for the UE and the firewall system, e.g. MPLS VPN, IPsec VPN, etc.
- The IMS network terminals in this invention refer to communicating parties with wireless or wired communication ability that are positioned in the IMS network or access the IMS network via various types of access networks.
- The network elements in this invention, also called communication nodes or communication units, refer to entities having communication ability in the network, which can be implemented by software, hardware or combinations thereof.
- The entities in this invention can be implemented by software, hardware or combinations thereof. In the course of implementation, the modules and interfaces described in this invention may be further combined or further split.
- The various entities in the IMS network and the firewall system in this invention may be independent or distributed. In addition, they may be located on separate communication nodes in the network, or on the same communication node. For example, the firewall system may be wholly or partly located on the communication node where the S-CSCF is located, and that communication node may include the whole or part of the implementation of the S-CSCF.
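The registration flow described above, as an added example that is not code from the patent or from its assignee: a toy Python model in which the UE flags that it wants the firewall service in its registration request, the S-CSCF forwards a service request carrying the UE address, P-CSCF address and user identities to the firewall system, the firewall runs its authorization check and answers 200 (OK) with its own address, and the S-CSCF and UE then store the firewall address in place of the UE address so that every later message in either direction passes through the firewall. All names, addresses, header names, the "FIREWALL-SERVICE" request, the authorization list and the per-user block list are assumptions made for illustration; the P-CSCF hop is collapsed into the S-CSCF call.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    """Stand-in for one SIP message in the toy model (assumed structure)."""
    method: str                       # "REGISTER", "INVITE", "200 OK", ...
    src: str                          # address of the sender
    dst: str                          # address the message is sent to
    headers: dict = field(default_factory=dict)


class UE:
    def __init__(self, address, public_id, private_id, wants_firewall=True):
        self.address, self.public_id, self.private_id = address, public_id, private_id
        self.wants_firewall = wants_firewall
        self.contact = None           # where the UE sends all requests after registration

    def register(self, p_cscf_address):
        # Step 1: the assumed "firewall_service" header is the characteristic
        # information the text says a UE may add to its registration request.
        hdrs = {"public_user_id": self.public_id, "private_user_id": self.private_id}
        if self.wants_firewall:
            hdrs["firewall_service"] = ["firewall"]
        return Message("REGISTER", self.address, p_cscf_address, hdrs)

    def send_request(self, method, to_public_id):
        # After registration every request goes to the stored contact address first.
        return Message(method, self.address, self.contact, {"to": to_public_id})


class FirewallSystem:
    def __init__(self, address, network_address, authorized_private_ids):
        self.address = address
        self.network_address = network_address         # where outbound traffic is forwarded
        self.authorized = set(authorized_private_ids)  # assumed authorization policy (Step 8)
        self.served = {}              # public_id -> {"ue_address", "services", "blocked"}
        self.dropped = []             # inbound messages the firewall refused to deliver

    def handle_service_request(self, req):
        """Steps 7-9: authorization check, then 200 OK carrying the firewall's own address."""
        public_id = req.headers["public_user_id"]
        if req.headers["private_user_id"] not in self.authorized:
            return Message("403 Forbidden", self.address, req.src, {"public_user_id": public_id})
        self.served[public_id] = {"ue_address": req.headers["ue_address"],
                                  "services": req.headers["firewall_service"],
                                  "blocked": set()}   # user-specific configuration, highest priority
        return Message("200 OK", self.address, req.src,
                       {"public_user_id": public_id, "firewall_address": self.address})

    def relay(self, msg):
        """Every message to or from a served UE passes here; returns the forwarded
        message, or None when the firewall drops it."""
        if any(msg.src == c["ue_address"] for c in self.served.values()):
            # Outbound: the network only ever sees the firewall's address as the source.
            return Message(msg.method, self.address, self.network_address, msg.headers)
        target = self.served.get(msg.headers.get("to"))
        if target is None or msg.src in target["blocked"]:
            self.dropped.append(msg)  # unknown user, or sender blocked by the user's own config
            return None
        return Message(msg.method, msg.src, target["ue_address"], msg.headers)


class SCSCF:
    def __init__(self, address, firewall):
        self.address = address
        self.firewall = firewall
        self.contacts = {}            # public_id -> address other elements use to reach the UE

    def handle_register(self, reg, p_cscf_address):
        """Steps 2-11 collapsed: plain registration, or registration plus firewall provisioning."""
        public_id = reg.headers["public_user_id"]
        if "firewall_service" not in reg.headers:
            self.contacts[public_id] = reg.src           # ordinary IMS terminal, prior-art handling
            return Message("200 OK", self.address, reg.src, {"public_user_id": public_id})
        # "FIREWALL-SERVICE" is an assumed name for the request of Step 7.
        svc_req = Message("FIREWALL-SERVICE", self.address, self.firewall.address,
                          dict(reg.headers, ue_address=reg.src, p_cscf=p_cscf_address))
        resp = self.firewall.handle_service_request(svc_req)
        if resp.method == "200 OK":
            # Other elements now store the firewall address in place of the UE address.
            self.contacts[public_id] = resp.headers["firewall_address"]
        return Message(resp.method, self.address, reg.src, resp.headers)

    def route(self, msg):
        """Route a request to the stored contact of the destination user (None if unknown)."""
        dst = self.contacts.get(msg.headers.get("to"))
        return None if dst is None else Message(msg.method, msg.src, dst, msg.headers)


def provision(ue, scscf, p_cscf_address="p-cscf.example.net"):
    """Run the registration flow for one UE; returns (final status, UE contact address)."""
    resp = scscf.handle_register(ue.register(p_cscf_address), p_cscf_address)
    if resp.method == "200 OK":
        ue.contact = resp.headers.get("firewall_address", scscf.address)
    return resp.method, ue.contact


def build_scenario():
    """Constructed sample deployment: one firewall, one S-CSCF, three UEs (all names assumed)."""
    fw = FirewallSystem("fw.example.net", "s-cscf.example.net", {"alice@ims.example.net"})
    scscf = SCSCF("s-cscf.example.net", fw)
    alice = UE("10.0.0.5", "sip:alice@ims.example.net", "alice@ims.example.net")
    bob = UE("10.0.0.9", "sip:bob@ims.example.net", "bob@ims.example.net", wants_firewall=False)
    carol = UE("10.0.0.7", "sip:carol@ims.example.net", "carol@ims.example.net")
    return fw, scscf, alice, bob, carol


if __name__ == "__main__":
    fw, scscf, alice, bob, carol = build_scenario()
    for ue in (alice, bob, carol):
        print(ue.public_id, provision(ue, scscf))
    invite = scscf.route(Message("INVITE", bob.address, scscf.address, {"to": alice.public_id}))
    print("INVITE to alice routed to", invite.dst, "then delivered to", fw.relay(invite).dst)
```

Running the scenario shows the three cases the text distinguishes: alice (authorized, requested the service) ends up with the firewall address as her contact and is reachable only through it; bob (no firewall flag) is registered exactly as an ordinary IMS terminal; carol (requested the service but not authorized) is refused. Adding bob's address to alice's block list demonstrates the user-specific configuration taking priority over the default of forwarding everything.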
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Multimedia (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2009/070275 WO2010083648A1 (zh) | 2009-01-22 | 2009-01-22 | Method for providing terminals of an IMS network with a firewall, and firewall system |
Publications (1)
Publication Number | Publication Date |
---|---|
US20120047569A1 (en) | 2012-02-23 |
Family
ID=42355490
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/998,633 Abandoned US20120047569A1 (en) | 2009-01-22 | 2009-01-22 | Method for providing terminals of ims network with firewall and firewall system |
Country Status (6)
Country | Link |
---|---|
US (1) | US20120047569A1 (zh) |
EP (1) | EP2391059A4 (zh) |
JP (1) | JP5694954B2 (zh) |
KR (1) | KR101520142B1 (zh) |
CN (1) | CN102160331A (zh) |
WO (1) | WO2010083648A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8805972B1 (en) * | 2013-06-26 | 2014-08-12 | Kaspersky Lab Zao | Multi-platform operational objective configurator for computing devices |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103905413B (zh) * | 2012-12-28 | 2017-05-03 | 中国移动通信集团北京有限公司 | Core network signalling transmission method and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050198125A1 (en) * | 2004-01-26 | 2005-09-08 | Macleod Beck Christopher C. | Methods and system for creating and managing identity oriented networked communication |
US20080229088A1 (en) * | 2007-03-12 | 2008-09-18 | Nokia Siemens Networks Gmbh & Co. Kg | Method, a device for configuring at least one firewall and a system comprising such device |
US20100095361A1 (en) * | 2008-10-10 | 2010-04-15 | Wenhua Wang | Signaling security for IP multimedia services |
US8191116B1 (en) * | 2005-08-29 | 2012-05-29 | At&T Mobility Ii Llc | User equipment validation in an IP network |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1251446C (zh) * | 2002-07-18 | 2006-04-12 | 华为技术有限公司 | Method for defending against network TCP SYN flooding attacks |
JP2004220120A (ja) * | 2003-01-09 | 2004-08-05 | Nippon Telegr & Teleph Corp <Ntt> | Network security system, access control method, authentication mechanism, firewall mechanism, authentication mechanism program, firewall mechanism program, and recording medium therefor |
CN100484134C (zh) * | 2003-10-10 | 2009-04-29 | 华为技术有限公司 | Method for next-generation network services to traverse network address translation devices/firewalls |
US7372840B2 (en) * | 2003-11-25 | 2008-05-13 | Nokia Corporation | Filtering of dynamic flows |
JP4648148B2 (ja) * | 2005-09-30 | 2011-03-09 | 富士通株式会社 | Connection support device |
CN101102185B (zh) * | 2006-07-06 | 2012-03-21 | 朗迅科技公司 | Media security for IMS sessions |
CN100514939C (zh) * | 2006-12-01 | 2009-07-15 | 中国联合网络通信集团有限公司 | IP multimedia communication service processing system and method for implementing IP multimedia communication |
CN100583737C (zh) * | 2007-05-22 | 2010-01-20 | 网御神州科技(北京)有限公司 | User-based secure access control method and apparatus |
2009
- 2009-01-22 KR KR1020117016252A patent/KR101520142B1/ko not_active IP Right Cessation
- 2009-01-22 EP EP09838615.4A patent/EP2391059A4/en not_active Withdrawn
- 2009-01-22 WO PCT/CN2009/070275 patent/WO2010083648A1/zh active Application Filing
- 2009-01-22 JP JP2011546565A patent/JP5694954B2/ja not_active Expired - Fee Related
- 2009-01-22 CN CN2009801363809A patent/CN102160331A/zh active Pending
- 2009-01-22 US US12/998,633 patent/US20120047569A1/en not_active Abandoned
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050198125A1 (en) * | 2004-01-26 | 2005-09-08 | Macleod Beck Christopher C. | Methods and system for creating and managing identity oriented networked communication |
US8191116B1 (en) * | 2005-08-29 | 2012-05-29 | At&T Mobility Ii Llc | User equipment validation in an IP network |
US20080229088A1 (en) * | 2007-03-12 | 2008-09-18 | Nokia Siemens Networks Gmbh & Co. Kg | Method, a device for configuring at least one firewall and a system comprising such device |
US20100095361A1 (en) * | 2008-10-10 | 2010-04-15 | Wenhua Wang | Signaling security for IP multimedia services |
Also Published As
Publication number | Publication date |
---|---|
KR20110105802A (ko) | 2011-09-27 |
EP2391059A1 (en) | 2011-11-30 |
JP2012516081A (ja) | 2012-07-12 |
CN102160331A (zh) | 2011-08-17 |
JP5694954B2 (ja) | 2015-04-01 |
EP2391059A4 (en) | 2013-05-01 |
KR101520142B1 (ko) | 2015-05-13 |
WO2010083648A1 (zh) | 2010-07-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11489878B2 (en) | Mobile device security, device management, and policy enforcement in a cloud-based system | |
US9609460B2 (en) | Cloud based mobile device security and policy enforcement | |
US9473537B2 (en) | Cloud based mobile device management systems and methods | |
US9531758B2 (en) | Dynamic user identification and policy enforcement in cloud-based secure web gateways | |
US9065800B2 (en) | Dynamic user identification and policy enforcement in cloud-based secure web gateways | |
CN105933279B (zh) | System, method, apparatus and machine-readable medium for enterprise wireless calling | |
US9621574B2 (en) | Out of band end user notification systems and methods for security events related to non-browser mobile applications | |
US11297058B2 (en) | Systems and methods using a cloud proxy for mobile device management and policy | |
CN114500308B (zh) | Multi-access distributed edge security in mobile networks | |
US20180183794A1 (en) | Systems and methods for cloud based unified service discovery and secure availability | |
US8578456B2 (en) | Authentication in an IP multimedia subsystem network where an in-use line identifier (LID) does not match a registered LID | |
US20110191844A1 (en) | Techniques for managing security in next generation communication networks | |
JP2012147478A (ja) | Access via a non-3GPP access network | |
CN109274512B (zh) | Method and apparatus for managing a proxy call session control function | |
US12022576B2 (en) | Cloud-based interworking gateway service | |
JP2022502913A (ja) | Network-slice-based security in mobile networks | |
US11405764B2 (en) | Multiple parallel WebRTC accesses to IMS | |
Hu et al. | Uncovering insecure designs of cellular emergency services (911) | |
US20120047569A1 (en) | Method for providing terminals of ims network with firewall and firewall system | |
US20240015512A1 (en) | Content Filtering Support for Protocols with Encrypted Domain Name Server | |
Chen et al. | Taming the Insecurity of Cellular Emergency Services (9-1-1): From Vulnerabilities to Secure Designs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: ALCATEL LUCENT, FRANCE. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:WANG, ZHI;REEL/FRAME:026374/0391. Effective date: 20110503 |
| AS | Assignment | Owner name: CREDIT SUISSE AG, NEW YORK. Free format text: SECURITY AGREEMENT;ASSIGNOR:LUCENT, ALCATEL;REEL/FRAME:029821/0001. Effective date: 20130130. Owner name: CREDIT SUISSE AG, NEW YORK. Free format text: SECURITY AGREEMENT;ASSIGNOR:ALCATEL LUCENT;REEL/FRAME:029821/0001. Effective date: 20130130 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
| AS | Assignment | Owner name: ALCATEL LUCENT, FRANCE. Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG;REEL/FRAME:033868/0555. Effective date: 20140819 |